Multimedia Network Security Laboratory

An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards
Author: JongHyup LEE
Source: 2011 Elsevier Journal of Network and Computer Applications
Presenter: 陳鈺惠
Date: 2013/12/04
Outline
1. Introduction
2. Overview of Sood et al.’s scheme
3. Proposed scheme
4. Protocol analysis
5. Conclusion
1.Introduction(1/1)
With the rapid development of the Internet and electronic commerce technology, many services are provided through the Internet, such as online shopping and online games.
This paper proposes an efficient and secure dynamic identity based authentication protocol for multi-server architecture using smart cards to tackle these problems.
2.Overview of Sood et al.’s scheme
Ui      The ith user
Sk      The kth service providing server
CS      The control server
IDi     The identity of the user Ui
Pi      The password of the user Ui
SIDk    The identity of the server Sk
yi      The random number chosen by CS for user Ui
x       The master secret key maintained by CS
b       A random number chosen by the user for registration
CIDi    The dynamic identity generated by the user Ui for authentication
SK      A session key shared among the user, the service providing server and the CS
Ni1     A random number generated by the user Ui's smart card
Ni2     A random number generated by the server Sk for the user Ui
Ni3     A random number generated by the CS for the user Ui
h(·)    A one-way hash function
⊕       Exclusive-OR operation
∥       Message concatenation operation
2.Overview of Sood et al.’s scheme (1/8)
Registration phase
Parties: Ui, Sk, CS
Ui: computes Ai=h(IDi||b), Bi=h(b⊕Pi)
Ui → CS: Ai, Bi
CS: computes Fi=Ai⊕yi, Gi=Bi⊕h(yi)⊕h(x), Ci=Ai⊕h(yi)⊕x
CS: stores (Ci, yi⊕x)
CS → Ui: smart card (Fi, Gi, h(·))
Ui: computes Di=b⊕h(IDi||Pi), Ei=h(IDi||Pi)⊕Pi
Ui: smart card holds (Di, Ei, Fi, Gi, h(·))
Sk ↔ CS: (SIDk, SKk)
CS: stores (SIDk, SKk⊕h(x||SIDk))
2.Overview of Sood et al.’s scheme (2/8)
Login phase
Parties: Ui, Sk, CS
Ui: inputs IDi*, Pi* into the smart card
Smart card: computes Ei*=h(IDi*||Pi*)⊕Pi*, checks Ei*=Ei?
Smart card: b=Di⊕h(IDi||Pi), Ai=h(IDi||b)
            Bi=h(b⊕Pi), yi=Fi⊕Ai
            h(x)=Gi⊕Bi⊕h(yi), Zi=h²(x)⊕Ni1
            CIDi=Ai⊕h(yi)⊕h(x)⊕Ni1
            Mi=h(h(x)||yi||SIDk||Ni1)
Ui → Sk: (SIDk, Zi, CIDi, Mi)
2.Overview of Sood et al.’s scheme (3/8)
Authentication and session key agreement phase
Parties: Ui, Sk, CS
Sk: computes Ri=Ni2⊕SKk
Sk → CS: (SIDk, Zi, CIDi, Mi, Ri)
CS: Ni1=Zi⊕h²(x), Ni2=Ri⊕SKk
    Ci*=CIDi⊕Ni1⊕h(x)⊕x
    checks Ci*=Ci?, extracts yi
    Mi*=h(h(x)||yi||SIDk||Ni1)
    checks Mi*=Mi?
    Ki=Ni1⊕Ni3⊕h(SKk||Ni2)
    Xi=h(IDi||yi||Ni1)⊕h(Ni1⊕Ni2⊕Ni3)
    Vi=h[h(Ni1⊕Ni2⊕Ni3)||h(IDi||yi||Ni1)]
    Ti=Ni2⊕Ni3⊕h(yi||IDi||h(x)||Ni1)
CS → Sk: (Ki, Xi, Vi, Ti)
2.Overview of Sood et al.’s scheme (4/8)
Authentication and session key agreement phase
Parties: Ui, Sk, CS
Sk: Ni1⊕Ni3=Ki⊕h(SKk||Ni2)
    h(IDi||yi||Ni1)=Xi⊕h(Ni1⊕Ni2⊕Ni3)
    Vi*=h[h(Ni1⊕Ni2⊕Ni3)||h(IDi||yi||Ni1)]
    checks Vi*=Vi?
Sk → Ui: (Vi, Ti)
Ui: Ni2⊕Ni3=Ti⊕h(yi||IDi||h(x)||Ni1)
    Vi*=h[h(Ni1⊕Ni2⊕Ni3)||h(IDi||yi||Ni1)]
    checks Vi*=Vi?
SK=h(h(IDi||yi||Ni1)||(Ni1⊕Ni2⊕Ni3))
2.Overview of Sood et al.’s scheme (5/8)
Leak-of-verifier attack
User Uk has (Dk, Ek, Fk, Gk, h(·)), IDk, Pk
Uk can compute
bk=Dk⊕h(IDk||Pk)
Ak=h(IDk||bk)
yk=Fk⊕Ak
Bk=h(bk⊕Pk)
h(x)=Gk⊕Bk⊕h(yk)
Uk gets yk, h(x)
If the client's yi⊕x and Ci=Ai⊕h(yi)⊕x are leaked
Uk gets x, h(x), yi⊕x from yk
then gets yi, Ai and h(x)
Uk logs in
2.Overview of Sood et al.’s scheme (6/8)
Leak-of-verifier attack
Uk gets random number Ni′1
Computes CID′i=Ai⊕h(yi)⊕h(x)⊕Ni′1
M′i=h(h(x)||yi||SIDj||Ni′1)
Z′i=h²(x)⊕Ni′1
Uk submits the login request message (SIDj, Z′i, CID′i, M′i) to Sj
Sj gets random number Ni′2
Computes Ri=Ni2⊕SKj and submits it to CS
CS computes Ni1=Z′i⊕h²(x), Ni2=Ri⊕SKj
C*i=CID′i⊕Ni′1⊕h(x)⊕x=Ai⊕h(yi)⊕x=Ci
CS computes Mi*=h(h(x)||yi||SIDj||Ni′1)=M′i
Uk gets yi⊕x, Ci=Ai⊕h(yi)⊕x
2.Overview of Sood et al.’s scheme (7/8)
Stolen smart card attack
If (SIDj, Zi, CIDi, Mi) from a previously valid login was eavesdropped
Uk computes
Ni1=Z′i⊕h²(x)
Ai⊕h(yi)=CIDi⊕Ni1⊕h(x)
Uk extracts (Di, Ei, Fi, Gi, h(·))
Computes bi⊕Pi=Di⊕Ei
h(bi⊕Pi)=Bi
h(yi)=Gi⊕Bi⊕h(x)
Computes Ai=h(yi)⊕(Ai⊕h(yi))
Gets yi=Fi⊕Ai
Uk gets h(x), yi
2.Overview of Sood et al.’s scheme (8/8)
Incorrect authentication and session key agreement phase
In the registration phase, Ui submits Ai, Bi rather than the true identity IDi to CS.
But in step 4, the computed values use IDi:
Xi=h(IDi||yi||Ni1)⊕h(Ni1⊕Ni2⊕Ni3)
Vi=h[h(Ni1⊕Ni2⊕Ni3)||h(IDi||yi||Ni1)]
Ti=Ni2⊕Ni3⊕h(yi||IDi||h(x)||Ni1)
Ui      The ith user
Sj      The service providing server
CS      The control server
IDi     The identity of the user Ui
Pi      The password of the user Ui
SIDk    The identity of the server Sk
yi      The random number chosen by CS for user Ui
x       The master secret key maintained by CS
b       A random number chosen by the user for registration
CIDi    The dynamic identity generated by the user Ui for authentication
SK      A session key shared among the user, the service providing server and the CS
Ni1     A random number generated by the user Ui's smart card
Ni2     A random number generated by the server Sk for the user Ui
Ni3     A random number generated by the CS for the user Ui
h(·)    A one-way hash function
⊕       Exclusive-OR operation
∥       Message concatenation operation
3.Proposed scheme(1/4)
Registration phase
Parties: Ui, Sj, CS
Ui: chooses IDi, Pi, b; computes Ai=h(b||Pi)
Ui → CS: (IDi, Ai)
CS: Bi=h(IDi||x), Ci=h(IDi||h(y)||Ai)
    Di=Bi⊕h(IDi||Ai), Ei=Bi⊕h(y||x)
CS → Ui: smart card (Ci, Di, Ei, h(·), h(y))
Ui: enters b into the smart card
Smart card: stores (Ci, Di, Ei, h(·), h(y), b)
3.Proposed scheme(2/4)
Login phase
Parties: Ui, Sj, CS
Ui: inputs IDi, Pi
Smart card: computes Ai=h(b||Pi), Ci′=h(IDi||h(y)||Ai)
            checks Ci′=Ci?
            generates Ni1
            Bi=Di⊕h(IDi||Ai), Fi=h(y)⊕Ni1
            Pij=Ei⊕h(h(y)||Ni1||SIDj)
            CIDi=Ai⊕h(Bi||Fi||Ni1)
            Gi=h(Bi||Ai||Ni1)
Ui → Sj: (Fi, Gi, Pij, CIDi)
3.Proposed scheme(3/4)
Authentication and session key agreement phase
Parties: Ui, Sj, CS
Sj: chooses Ni2
    Ki=h(SIDj||y)⊕Ni2
    Mi=h(h(x||y)||Ni2)
Sj → CS: (Fi, Gi, Pij, CIDi, SIDj, Ki, Mi)
CS: Ni2=Ki⊕h(SIDj||y)
    Mi′=h(h(x||y)||Ni2), checks Mi′=Mi?
    Ni1=Fi⊕h(y)
    Bi=Pij⊕h(h(y)||Ni1||SIDj)⊕h(y||x)
    Ai=CIDi⊕h(Bi||Fi||Ni1)
    Gi′=h(Bi||Ai||Ni1), checks Gi′=Gi?
    generates Ni3
    Qi=Ni1⊕Ni3⊕h(SIDj||Ni2)
    Ri=h(Ai||Bi)⊕h(Ni1⊕Ni2⊕Ni3)
    Vi=h(h(Ai||Bi)||h(Ni1⊕Ni2⊕Ni3))
    Ti=Ni2⊕Ni3⊕h(Ai||Bi||Ni1)
3.Proposed scheme(4/4)
Authentication and session key agreement phase
Parties: Ui, Sj, CS
CS → Sj: (Qi, Ri, Vi, Ti)
Sj: Ni1⊕Ni3=Qi⊕h(SIDj||Ni2)
    h(Ai||Bi)=Ri⊕h(Ni1⊕Ni3⊕Ni2)
    Vi′=h(h(Ai||Bi)||h(Ni1⊕Ni3⊕Ni2))
    checks Vi′=Vi?
Sj → Ui: (Vi, Ti)
Ui: Ni2⊕Ni3=Ti⊕h(Ai||Bi||Ni1)
    Vi′=h(h(Ai||Bi)||h(Ni2⊕Ni3⊕Ni1))
    checks Vi′=Vi?
SK=h(h(Ai||Bi)||(Ni1⊕Ni2⊕Ni3))
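Added example, not from the paper or the slides: a single-process walk-through of the proposed scheme's registration, login, and authentication and session key agreement steps as listed on the slides, checking that Ui, Sj and CS derive the same SK. It assumes SHA-256 for h(·), 32-byte random values, and that Sj already holds h(SIDj||y) and h(x||y) from CS (the slides do not show server registration); `run` and all variable names are illustrative.

```python
import hashlib, secrets

def h(*parts):  # one-way hash h(.) over part1||part2||... (SHA-256 is an assumption)
    return hashlib.sha256(b"".join(parts)).digest()

def xor(*vals):  # bytewise XOR of equal-length 32-byte values
    out = bytes(32)
    for v in vals:
        out = bytes(p ^ q for p, q in zip(out, v))
    return out

def run(ID, P, P_login, SID, tamper=False):
    # CS secrets x, y; user's b; nonces chosen by smart card, Sj and CS
    x, y, b, N1, N2, N3 = (secrets.token_bytes(32) for _ in range(6))
    # Registration: Ui -> CS (IDi, Ai); CS -> smart card (Ci, Di, Ei, h(y))
    A, B, hy = h(b, P), h(ID, x), h(y)
    C, D, E = h(ID, hy, A), xor(B, h(ID, A)), xor(B, h(y, x))
    srv = (h(SID, y), h(x, y))  # assumption: Sj received these from CS beforehand
    # Login: card checks the password locally, then builds (Fi, Gi, Pij, CIDi)
    A = h(b, P_login)
    if h(ID, hy, A) != C:
        return "card rejects password", None
    Bu, F = xor(D, h(ID, A)), xor(hy, N1)
    Pij, CID, G = xor(E, h(hy, N1, SID)), xor(A, h(Bu, F, N1)), h(Bu, A, N1)
    if tamper:  # constructed in-transit modification of CIDi
        CID = xor(CID, b"\x01" + bytes(31))
    # Sj: appends (Ki, Mi) and forwards the request to CS
    K, M = xor(srv[0], N2), h(srv[1], N2)
    # CS: recovers Ni2, Ni1, Bi, Ai and checks Mi and Gi
    n2 = xor(K, h(SID, y))
    if h(h(x, y), n2) != M:
        return "CS rejects Sj", None
    n1 = xor(F, hy)
    Bc = xor(Pij, h(hy, n1, SID), h(y, x))
    Ac = xor(CID, h(Bc, F, n1))
    if h(Bc, Ac, n1) != G:
        return "CS rejects Ui", None
    n123, hab = xor(n1, n2, N3), h(Ac, Bc)
    Q, R = xor(n1, N3, h(SID, n2)), xor(hab, h(n123))
    V, T = h(hab, h(n123)), xor(n2, N3, h(Ac, Bc, n1))
    # Sj (from Qi, Ri) and Ui (from Ti) rebuild Ni1^Ni2^Ni3 and verify Vi
    s123 = xor(Q, h(SID, N2), N2)
    s_hab = xor(R, h(s123))
    u123 = xor(T, h(A, Bu, N1), N1)
    if h(s_hab, h(s123)) != V or h(h(A, Bu), h(u123)) != V:
        return "Vi mismatch", None
    # Session keys as derived by CS, Sj and Ui
    return "ok", (h(hab, n123), h(s_hab, s123), h(h(A, Bu), u123))
```

`run` returns a status and, on success, the three independently derived session keys; a wrong password stops at the card, and a modified CIDi stops at the Gi check in CS.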
4.Protocol analysis
5.Conclusion
The protocol proposed in this paper can satisfy all the essential requirements for multi-server architecture authentication.
Compared with Sood et al.'s (2011) protocol and other related protocols, our proposed protocol keeps the efficiency and is more secure.
Therefore, our protocol is more suitable for practical applications.